DEV Community: Hariharen S.S

Building Scync: Why I made a Zero-Knowledge Secrets Manager for us, Developers.

Hariharen S.S — Tue, 05 May 2026 11:12:55 +0000

You have 47 API keys. You know where exactly zero of them are.

Your secrets are scattered across a digital wasteland. One is in a .env file you’re terrified to delete. Another is buried in a 2022 Slack DM. Your AWS credentials live in a Notion page titled "stuff", and your 2FA codes are trapped on a phone you're about to trade in. When you need an API key, you experience one of two realities: you find it in three seconds, or you spend 45 minutes regenerating it and updating six projects. There is no in-between.

This isn't a workflow problem. It is a missing tool problem.

Why Existing Tools Don't Solve It

When you look for a solution to this, you quickly realize the market is deeply polarized. You either get a consumer password manager or an enterprise infrastructure behemoth. Neither is built for the solo developer managing API keys, .env files, and recovery codes.

Tool	The Reality
Bitwarden / 1Password	Built for website passwords (username/URL/password), not developer secrets. They lack dedicated metadata, rotation tracking, and are incredibly awkward for storing multi-line recovery codes or `.env` files.
Infisical / Doppler	Designed for engineering teams and CI/CD pipelines. You need a screwdriver; they are handing you an entire automated factory. Overkill for a solo dev.
HashiCorp Vault	You need a dedicated server and two weeks of free time just to understand the architecture before you can store a single key.
Notion / Apple Notes	Zero encryption at rest. Notion staff can read your secrets. You know this is a terrible idea. You still do it because it’s convenient.
KeePassXC	Phenomenal security, but no native cloud sync. Your phone has absolutely no idea your desktop vault exists.

There is no tool that is personal-first, zero-knowledge, cross-platform, open source, and actually pleasant to use.

So, I built one. I call it Scync (Your secrets. Synced. Encrypted. Everywhere.). It’s an open-source, zero-knowledge secrets manager built specifically for developers.

The Architecture

To build Scync, I had a strict set of principles: one codebase for all platforms, zero-knowledge by default, and speed as a feature. The core loop of the app—Unlock vault → Find secret → Copy value—had to be instantaneous.

The Monorepo

Scync is structured as a Turborepo-managed monorepo using pnpm. The architecture strictly separates the UI and cryptographic logic from the deployment shells.

packages/core: The brain. Contains all the Web Crypto API logic, TypeScript types, and Firebase configurations. No UI code lives here.
packages/ui: The shared React component library, design system (Tailwind CSS), and Zustand state stores.
apps/web: The Vite + React web application (deployed as a PWA for mobile).
apps/desktop: An Electron (v28+) wrapper around the web build.

Because of this structure, 100% of the React application logic is shared. There is no separate React Native codebase.

State Management & On-Demand Decryption

The state management, handled by Zustand, is where the security architecture dictates the software architecture.

In Scync, your plaintext secrets are never held in the global React state. The vaultStore only holds the CryptoKey (while unlocked) and an array of StoredSecret objects, which contain the encrypted AES-GCM blobs straight from Firestore.

Decryption happens on-demand. When you click "Copy" or "Show Value" on a secret, the app decrypts the value in memory, writes it to your clipboard (or renders it for 15 seconds), and immediately discards the plaintext. If a malicious script dumps your browser's heap memory, it will only find AES ciphertexts, not your OpenAI keys.

The Backend: Firebase (Blindly)

I chose Firebase for the backend because it offers real-time cross-device syncing via Firestore out of the box. However, Firebase is kept completely blind.

Scync separates Layer 1 (Identity) from Layer 2 (Encryption). Firebase Auth (Google Sign-In) handles your identity. It gives you a uid so Firestore knows which documents you are allowed to read. But Firebase Auth has nothing to do with decrypting your data. If someone hacks your Google account, they just get access to a database of mathematically unreadable blobs.

The Crypto Deep-Dive

"Zero-knowledge" is a term thrown around loosely in marketing. In Scync, it is enforced by math. The server never receives plaintext. The encryption implementation uses strictly the browser-native Web Crypto API—no third-party crypto libraries to audit.

Here is exactly how your data is protected.

1. Key Derivation (PBKDF2)

When you log in, you are prompted for a Vault Password. This password never leaves your device.

To derive the actual 256-bit AES encryption key from your human-readable password, Scync pulls a non-secret, 16-byte random salt from your Firebase metadata. It then concatenates your Vault Password with your Firebase uid (to prevent cross-account rainbow table attacks).

This combined material is run through PBKDF2 using a SHA-256 hash for 310,000 iterations (the OWASP 2023 recommendation). The output is a non-extractable CryptoKey object that lives entirely in your device's memory.

2. The Verifier Pattern

If we don't send the Vault Password to the server, and we don't store a hash of it, how does the app know if you typed the correct password when you try to unlock the vault?

We use an encrypted verifier.
During your first-time setup, after deriving your key, Scync takes the plaintext string "Scync_VALID_v1", encrypts it using AES-256-GCM, and stores the resulting ciphertext and Initialization Vector (IV) in your Firestore metadata.

Every time you unlock the vault subsequently:

You type your password.
Scync derives a temporary key in memory.
It attempts to decrypt the stored "Scync_VALID_v1" ciphertext using that temporary key.
If it succeeds, the password is correct, and the vault unlocks.
If it throws an error (because AES-GCM includes an authentication tag that fails on wrong keys), the app knows the password was wrong. No password hashing required.

3. Encryption (AES-256-GCM)

Every single secret value and note is encrypted using AES-256-GCM.

Crucially, a fresh 12-byte random IV is generated for every single field, every single time it is saved. Even if you save the exact same API key twice, the resulting ciphertexts will look completely different. The ciphertext and the base64-encoded IV are packaged together and sent to Firestore.

(Note: Metadata like the secret's name and service are kept plaintext to allow for lightning-fast, real-time client-side searching without decrypting the entire database. A full-encryption mode is planned for V2).

4. Biometric Unlock via WebAuthn PRF

Typing a 20-character master password on a mobile device is miserable. But storing that password in plaintext defeats the purpose of a zero-knowledge architecture.

To solve this, Scync leverages the WebAuthn PRF (Pseudo-Random Function) extension.
When you enable FaceID or TouchID, your device's hardware (Secure Enclave/TPM) creates a deterministic symmetric key. Scync uses this hardware-level key to locally encrypt (or "wrap") your Vault Password, storing the wrapped version in your local storage.

When you use FaceID, the hardware re-derives the key, unwraps your Vault Password into memory, and feeds it into the PBKDF2 derivation function. You get native-speed unlocks without compromising the zero-knowledge model.

What I Learned

Building a secure, local-first application fundamentally changes how you view modern web development. Here are my biggest takeaways from building Scync:

1. The Web Crypto API is incredibly powerful (and underutilized).
Five years ago, building this would have required importing heavy, difficult-to-audit libraries like crypto-js or forge. Today, the native window.crypto.subtle API provides highly performant, NIST-standardized cryptography right in the browser. The fact that you can generate non-extractable keys—meaning even XSS attacks have a remarkably hard time stealing the actual key material from memory—is a massive win for frontend security.

2. "Opinionated Simplicity" is the hardest feature to defend.
When you build a tool for developers, the immediate feedback is always: "Can you add custom fields? Can you add a plugin architecture? Can you add programmable webhooks?"
It takes immense discipline to say no. Scync forces you to categorize your secrets by environment, service, and type. It natively understands that a .env file is different from a Recovery Code set. By refusing to make it a generic "custom field" database, the UI remains calm, the search remains instant, and the tool remains highly specialized for its actual purpose.

3. State management with raw encrypted data forces better architecture.
Usually, you fetch data from an API, dump it into a Redux or Zustand store, and map over it in your UI. In Scync, doing that would mean keeping dozens of highly sensitive API keys sitting in plaintext memory.
Building an architecture where components rely entirely on encrypted state, and only trigger an async decryption function at the exact millisecond of user interaction (like copying to the clipboard), taught me a lot about strict data lifecycles. It’s a slightly heavier development burden, but the security guarantee is worth it.

Try it / Star it

Scync was built because I was tired of pasting my AWS keys into Notion, and I suspect I'm not the only one.

The project is completely open-source under the MIT License. It will remain free, and there is no "enterprise pricing tier" waiting to trap you.

If you're a developer dealing with the "47 API keys" problem, I invite you to try it out, tear apart the cryptographic implementation, or host your own instance.

Check out the code and star the repo: github.com/hariharen9/Scync
Live application: Scync.space
Read the Security Spec: The complete zero-knowledge architecture and threat model is detailed in SECURITY.md in the repo.

Pull requests are welcome, especially if they make the core loop—Unlock → Find → Copy—even faster.

The Financial Command Center I Built After Years of Failed Budgeting Attempts

Hariharen S.S — Fri, 17 Oct 2025 04:10:16 +0000

For years, my financial life was sinking in a sea of spreadsheets. I had one for my monthly budget, another for tracking investments, and a third for my savings goals. It was a system that, in theory, should have given me control. In reality, it was a source of constant, nagging stress.

Every weekend was the same tedious ritual: hours hunched over my laptop, manually entering transactions, wrestling with formulas, and trying to connect the dots. I was drowning in data but starved for clarity. Missing even a single transaction could throw my entire month off course. The more complex my digital ledger became, the more I dreaded opening it.

I tried countless budgeting apps, but they all fell short. They were either too simplistic to capture the full picture or bloated with features I didn't need, hidden behind clunky interfaces and hefty subscription fees. I felt like I was trying to force a square peg into a round hole.

The breaking point? I missed a credit card payment. Not because I didn't have the money, but because the due date was simply lost in my spreadsheet maze. That was it. I’m a developer—I build solutions for a living. Why was I tolerating this chaos in my own life?

It was time to build my own lifeboat. SPENDWISER

The Vision: A Financial Command Center

I didn't want to build just another budgeting app. I wanted a true financial command center—a single, elegant dashboard where I could see everything from my daily spending to my long-term goals. It had to be a tool that would empower me, not overwhelm me.

I built it on three core principles:

Clarity Over Complexity: Powerful insights without a steep learning curve. The data should serve you, not the other way around.
Radical Accessibility: Your financial picture, available on any device, anytime, anywhere.
You Are in Control: Your data is yours. Full stop. The app must be transparent, customizable, and secure.

With this vision as my North Star, I started building SpendWiser.

Introducing SpendWiser: Your Personal Finance First Mate

SpendWiser is the culmination of months of work, born from a genuine need to take back control. It’s the app I always wished I had, and now, I want to share it with you.

Here's how SpendWiser puts you back at the helm:

Financial Cockpit (The Dashboard): Your mission control. Get a real-time, at-a-glance overview of your entire financial world: account balances, budget tracking, recent transactions, and goal progress. It's the first thing you see, and it instantly tells you exactly where you stand.
Seamless Transaction Tracking: Ditch the manual data entry for good. Add transactions in seconds, categorize your spending, add notes, and see a running list of all your income and expenses. Have a backlog? Easily import it from a CSV file.
Budgets That Empower, Not Restrict: Budgeting isn't about restriction; it's about mindful spending. Set monthly budgets for categories like groceries, entertainment, or transport. SpendWiser shows you how you’re tracking in real-time, helping you make smarter decisions throughout the month.
From 'Someday' to 'Scheduled' (Goals): We all have financial goals—a dream vacation, a new car, a down payment on a home. SpendWiser helps you turn those dreams into actionable plans. Set a target amount and a date, and watch your progress unfold.
Tame Your Debts (Loans & Credit Cards): It’s easy to lose track of what you owe. SpendWiser provides a dedicated space to manage your loans and credit cards, so you always have a clear picture of your balances and upcoming due dates.
Crafted For You, By You (Settings): Your financial journey is personal, and your tools should be too. Customize SpendWiser with light or dark mode, your preferred currency, and even different fonts to make it feel like home.

Why SpendWiser Isn't Just Another Budget App

In a crowded sea of finance apps, SpendWiser stands apart. Here’s why:

Built on Trust (It's Open-Source): No secrets. You can see exactly how SpendWiser works by viewing the code on GitHub. This means radical transparency and the assurance that your data is handled securely. You are always in control.
Works Everywhere (It's a PWA): SpendWiser is a Progressive Web App. Use it on any device with a web browser—phone, tablet, or desktop. It's fast, responsive, and you can even "install" it to your home screen for an app-like experience without visiting an app store.
100% Free. And Always Will Be: No ads. No subscription fees. No premium features behind a paywall. I built this to solve a real problem, not to make a profit.

Join the Voyage

I built SpendWiser to solve a problem that I know many of us face. Now, I want to make it even better, and that’s where you come in.

🚀 Take SpendWiser for a Spin: See if it can be the lifeboat you've been looking for. [Link to your app]
💬 Share Your Feedback: I'm eager to hear what you think. What do you love? What's missing? Your insights will shape the future of the app.
⭐ Become a Star on GitHub: If you believe in this project, giving it a star on GitHub is the single most powerful way to show your support. It helps others discover SpendWiser and validates the hard work that has gone into it.

Please, Star SpendWiser on GitHub!

Thank you for reading my story. I hope SpendWiser can help you navigate the often-choppy waters of personal finance.

Let’s take back control, together.

LocalSeek: A Privacy-First, Visually Stunning, Localized AI Chat for VS Code

Hariharen S.S — Sun, 02 Feb 2025 09:22:31 +0000

In an era where data privacy and efficiency are paramount, developers often find themselves balancing innovative AI-powered solutions with the need to protect sensitive code and personal data. What if you could harness the power of advanced AI without ever sending your data offsite? Enter LocalSeek — a new Visual Studio Code extension that brings a full-fledged AI chat interface directly into your development environment, all while keeping every interaction local. In this article, we’ll explore how LocalSeek is changing the way developers work, its core features and benefits, its technical architecture, and why it represents a significant step forward in AI-assisted development.

The Landscape of Developer Tools and AI Integration

Modern development environments have evolved far beyond simple code editors. Today’s integrated development environments (IDEs) and code editors like Visual Studio Code (VS Code) offer a rich ecosystem of plugins and extensions that enhance productivity. From version control integration to debugging tools, the developer workflow is supported by countless tools designed to simplify complex tasks.

However, as AI becomes an increasingly critical part of our toolchain — helping to generate code, provide recommendations, and assist with debugging — the question of data privacy looms larger than ever. Many existing AI tools rely on cloud processing, which means that sensitive code and user interactions are sent offsite for processing. For many professionals, especially those working in secure or regulated environments, this can be a deal-breaker.

LocalSeek addresses this challenge head-on. By processing all interactions locally, it offers a unique blend of AI assistance and uncompromised privacy with immaculate Visual Appeal. Let’s take a closer look at how LocalSeek works and why it’s a game-changer for developers.

Introducing LocalSeek:

LocalSeek is more than just an AI chatbot — it’s a comprehensive extension that transforms your VS Code environment into a powerful AI-enabled workspace. The primary vision behind LocalSeek is simple yet profound: to provide developers with a seamless, efficient, and secure AI tool that operates entirely on their local machines.

https://marketplace.visualstudio.com/items?itemName=Hariharen.localseek
You can also download the .vsix from this repo’s releases — https://github.com/hariharen9/localseek/

Key Aspects of the Vision

Privacy-First: LocalSeek is built with an unwavering commitment to privacy. Unlike many cloud-based AI tools, it ensures that your data never leaves your computer. This is especially important for developers working on proprietary or sensitive projects.
Beautiful UI: LocalSeek is designed with a clean, modern, and intuitive interface. The visually appealing layout ensures a smooth user experience, making interactions with the AI both efficient and enjoyable.
Local Processing: By leveraging local resources and models, LocalSeek delivers faster response times. This means reduced latency compared to cloud-based solutions, which can be critical during intense coding sessions.
Seamless Integration: The extension integrates effortlessly into VS Code. With a dedicated sidebar and standalone chat panel, it’s designed to enhance your workflow without overwhelming your interface.
Flexible Model Support: LocalSeek isn’t tied to one specific model. Instead, it works with any Ollama-compatible model, giving developers the flexibility to choose the AI that best fits their needs.

FEATURES OF LocalSeek

Understanding the technical underpinnings of LocalSeek helps appreciate its capabilities and the thoughtful design choices that set it apart.

Beautiful, Functional UI
LocalSeek isn’t just about functionality — it also prioritizes a sleek, modern user experience. The extension’s UI leverages the VS Code Webview API to create an interface that is both visually appealing and highly interactive. With mobile-inspired controls like “Talk, Copy, Exit,” the design aims to make interactions feel natural and intuitive, even if you’re used to working on a desktop.

Local AI Interaction
At its core, LocalSeek processes all AI interactions directly on your machine. This is achieved by interfacing with locally installed AI models using the Ollama platform. Ollama provides a flexible framework for running various language models locally, allowing LocalSeek to support a range of models from lightweight options like Phi-3 to more robust ones like DeepSeek-R1.

The VS Code Extension Ecosystem
LocalSeek is developed as a VS Code extension, utilizing the platform’s extensive APIs to deliver a rich user experience. The extension features:

A Dedicated Sidebar Chat View: This panel provides immediate access to your AI chat interface without disrupting your coding environment.
Standalone Chat Panel: For developers who prefer a full-screen view, a standalone chat option is available via the Command Palette (Ctrl+Shift+P).
Instant Model Switching: The extension includes a dropdown for selecting among multiple AI models. This flexibility allows developers to experiment and switch between models based on task-specific requirements.

Markdown-Enhanced AI Responses
One of the standout features of LocalSeek is its support for Markdown formatting in AI responses. This means that code snippets, documentation, and other rich content are displayed clearly and are easy to follow. The result is an interface that not only provides accurate AI-driven insights but also presents them in a clean, readable format that aligns with the aesthetics of modern coding environments.

Getting Started: Installation and Configuration

Getting started with LocalSeek is straightforward. Here’s a detailed guide to installing and configuring the extension in your VS Code environment.

Prerequisites
Before you begin, ensure that you have the following:

Visual Studio Code (v1.96.0 or newer): The latest version is recommended to ensure compatibility with the extension.
Ollama Installed Locally: This is the backbone of LocalSeek’s AI capabilities. You can download Ollama from its official site.
Hardware Requirements: A minimum of 8GB of RAM is recommended for optimal performance, especially when running larger models.
At Least One Ollama-Compatible LLM Model: While LocalSeek supports a variety of models, DeepSeek-R1 is highly recommended as a starting point.

Recommended Model Installations

Once you have Ollama installed, you can pull your preferred models using the following commands:

# Pull recommended models
ollama pull deepseek-r1:14b   # High-performance option
ollama pull mistral           # Balanced performance
ollama pull llama3.2          # Versatile model for various tasks
ollama pull phi3              # Lightweight and efficient option

Installation Methods

LocalSeek can be installed via two methods:

Visual Studio Code Marketplace:

Open the Extensions sidebar (Ctrl+Shift+X) in VS Code.
Search for “LocalSeek” and click “Install.”

Manual VSIX Installation:

Download the VSIX package from the LocalSeek Releases page.
In VS Code, open the Extensions view.
Click the “…” menu and select “Install from VSIX.”
Navigate to and select the downloaded file.

Configuring LocalSeek

After installation, configuring LocalSeek is simple. Most settings can be adjusted directly within VS Code’s settings interface:

Access Settings: Press Ctrl+, or navigate to the settings via the gear icon.
Search for “LocalSeek”: This will bring up all configurable options, including the Ollama Host configuration.
Modify Settings as Needed: Customize the connection details or adjust interface settings to suit your preferences.

Repository Link — https://github.com/hariharen9/localseek/

VSCode Marketplace Link — https://marketplace.visualstudio.com/items?itemName=Hariharen.localseek

Conclusion: Embracing the Future with LocalSeek

LocalSeek is more than just an AI chat extension — it’s a forward-thinking solution designed to meet the evolving needs of developers in a data-sensitive world. By processing all interactions locally, it offers unparalleled privacy and speed, making it an indispensable tool for anyone looking to enhance their coding workflow without compromising on security.

From its stunning UI and seamless integration with Visual Studio Code to its flexible support for multiple AI models, LocalSeek represents a significant step forward in the realm of AI-assisted development. It not only addresses the pressing concerns around data privacy but also paves the way for a future where developers can harness the full potential of AI without any of the drawbacks associated with cloud-based processing.

Whether you’re a developer working on sensitive projects, a hobbyist exploring the possibilities of local AI, or someone simply curious about the future of intelligent code assistance, LocalSeek offers a robust, efficient, and secure solution. Embrace a new era of development where your code — and your privacy — remain firmly in your hands.

Developed with ❤️ by Hariharen